Security is a major concern when storing data in a public cloud. Azure provides a comprehensive set of security capabilities to address these concerns and help developers build secure applications in the cloud. In this section, we will mainly focus on the concept of Shared Access Signatures (SAS). You will also take a look at Storage Service Encryption (SSE). The following are the security capabilities offered by Azure Storage:
Encryption: Azure automatically encrypts all data written to Azure Storage using Storage Service Encryption (SSE). SSE is enabled on all new storage accounts and cannot be disabled.
Authentication: Azure Storage supports Azure AD–based authentication for Azure Blobs and Azure Queues. Using RBAC, you can control access to the storage account.
Data in Transit: Client-side encryption, SMB, or HTTPS can be used to secure data in transit.
Azure Disk Encryption: Using Azure Disk Encryption (ADE), you can encrypt the OS disks and data disks of Windows and Linux virtual machines in Azure.
Shared Access Signatures (SAS): You can control fine-grained access to data objects using SAS keys, and you can make that access time-bound.
Now that you know the authentication methods, you will see how you can authorize these requests.
Authorization Options
You have read multiple times that storage accounts can be accessed from anywhere in the world, and that all requests coming to the storage services should be authenticated. In Exercise 6.1, you used anonymous access, which means you did not use any usernames, passwords, or keys to access the object. The purpose of authorization is to make certain that the contents of the storage account are accessible only to authorized people and only when you want them to be. The following are the authorization options available for Azure Storage:
Azure AD: Using Azure AD, you can authorize access to Azure Storage via role-based access control (RBAC). With RBAC, you can assign fine-grained access to users, groups, or applications.
Shared Key: Every storage account has two keys, primary and secondary. The storage account access keys are used in the Authorization header of the API calls.
Shared Access Signatures: Using SAS, you can limit access to the services to specified permissions over a specified timeframe.
Anonymous Access to Containers and Blobs: If you set the access level to blob or container, the objects are publicly accessible without passing keys or granting authorization. In Exercise 6.1, you accessed the object using anonymous access.
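The following Python example is added here and is not from the book. It shows how a time-bound, read-only service SAS for a single blob is assembled and signed with HMAC-SHA256 over the account key, and it checks the request against a local issuing policy (short lifetime, read-only, HTTPS only) before signing. It assumes the service-SAS string-to-sign layout documented for API version 2018-11-09; the account name, key, container and blob names are constructed sample values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2018-11-09"           # assumed signed version (sv) for the layout below
MAX_LIFETIME = timedelta(hours=1)    # local issuing policy: short-lived tokens only
ALLOWED_PERMS = set("r")             # local issuing policy: read-only tokens only

# Constructed sample inputs; the key is not a real Azure storage account key.
SAMPLE_ACCOUNT = "examplestorage"
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key-not-real!").decode()
SAMPLE_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRY = SAMPLE_START + timedelta(minutes=30)
SAMPLE_TOO_LATE = SAMPLE_START + timedelta(hours=2)

def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def within_policy(permissions, start, expiry):
    """Defender-side check: only short-lived, read-only tokens may be issued."""
    return set(permissions) <= ALLOWED_PERMS and timedelta(0) < expiry - start <= MAX_LIFETIME

def blob_service_sas(account, key_b64, container, blob, permissions, start, expiry):
    """Return the SAS query string for one blob (HTTPS only), or raise on a policy breach."""
    if not within_policy(permissions, start, expiry):
        raise ValueError("requested SAS violates the issuing policy")
    canonical = f"/blob/{account}/{container}/{blob}"
    # Field order matters; an empty field still contributes its newline.
    string_to_sign = "\n".join([
        permissions, _fmt(start), _fmt(expiry), canonical,
        "",                      # signed identifier (stored access policy): none
        "",                      # signed IP range: none
        "https", SAS_VERSION,
        "b",                     # signed resource: a single blob
        "",                      # snapshot time: none
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct response-header overrides: none
    ])
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": _fmt(start),
                      "se": _fmt(expiry), "spr": "https",
                      "sig": base64.b64encode(digest).decode()})

if __name__ == "__main__":
    print(blob_service_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, "reports", "q1.pdf", "r",
                           SAMPLE_START, SAMPLE_EXPIRY))
```

The query string is appended to the blob URL; the service recomputes the signature from the same fields, so any change to the permissions, expiry or resource invalidates the token.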
Now you will take a deep dive into Shared Access Signatures.